Cookie config needs a default (#366)

Adam Panzer · oreoshake · commit 4e1b8c2654fe · 2017-10-04T08:42:24.000-10:00
* Give cookies a default config #365 * An extra test * Test to make sure I can also be explicit * Update readme
diff --git a/README.md b/README.md
@@ -22,7 +22,7 @@ The gem will automatically apply several headers that are related to security.
 - Expect-CT - Only use certificates that are present in the certificate transparency logs. [Expect-CT draft specification](https://datatracker.ietf.org/doc/draft-stark-expect-ct/).
 - Clear-Site-Data - Clearing browser data for origin. [Clear-Site-Data specification](https://w3c.github.io/webappsec-clear-site-data/).
 
-It can also mark all http cookies with the Secure, HttpOnly and SameSite attributes (when configured to do so).
+It can also mark all http cookies with the Secure, HttpOnly and SameSite attributes. This is on default but can be turned off by using `config.cookies = SecureHeaders::OPT_OUT`.
 
 `secure_headers` is a library with a global config, per request overrides, and rack middleware that enables you customize your application settings.
 
diff --git a/lib/secure_headers/configuration.rb b/lib/secure_headers/configuration.rb
@@ -132,7 +132,7 @@ def deep_copy_if_hash(value)
     end
 
     def initialize(&block)
-      @cookies = nil
+      @cookies = self.class.send(:deep_copy_if_hash, Cookie::COOKIE_DEFAULTS)
       @clear_site_data = nil
       @csp = nil
       @csp_report_only = nil
diff --git a/lib/secure_headers/middleware.rb b/lib/secure_headers/middleware.rb
@@ -17,7 +17,7 @@ def call(env)
         Kernel.warn(HPKP_SAME_HOST_WARNING)
       end
 
-      flag_cookies!(headers, override_secure(env, config.cookies)) if config.cookies
+      flag_cookies!(headers, override_secure(env, config.cookies)) unless config.cookies == OPT_OUT
       headers.merge!(SecureHeaders.header_hash_for(req))
       [status, headers, response]
     end
diff --git a/spec/lib/secure_headers/configuration_spec.rb b/spec/lib/secure_headers/configuration_spec.rb
@@ -91,5 +91,27 @@ module SecureHeaders
         end
       }.to raise_error(ArgumentError)
     end
+
+    it "gives cookies a default config" do
+      expect(Configuration.default.cookies).to eq({httponly: true, secure: true, samesite: {lax: true}})
+    end
+
+    it "allows OPT_OUT" do
+      Configuration.default do |config|
+        config.cookies = OPT_OUT
+      end
+
+      config = Configuration.get
+      expect(config.cookies).to eq(OPT_OUT)
+    end
+
+    it "allows me to be explicit too" do
+      Configuration.default do |config|
+        config.cookies = {httponly: true, secure: true, samesite: {lax: false}}
+      end
+
+      config = Configuration.get
+      expect(config.cookies).to eq({httponly: true, secure: true, samesite: {lax: false}})
+    end
   end
 end
